WPBeginner

Beginner's Guide for WordPress

  • Blog
    • Beginners Guide
    • News
    • Opinion
    • Showcase
    • Themes
    • Tutorials
    • WordPress Plugins
  • Start Here
    • How to Start a Blog
    • Create a Website
    • Start an Online Store
    • Best Website Builder
    • Email Marketing
    • WordPress Hosting
    • Business Name Ideas
  • Deals
    • Bluehost Coupon
    • SiteGround Coupon
    • WP Engine Coupon
    • HostGator Coupon
    • Domain.com Coupon
    • Constant Contact
    • View All Deals »
  • Glossary
  • Videos
  • Products
X
☰
Beginner's Guide for WordPress / Start your WordPress Blog in minutes
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

WPBeginner» Blog» Plugins» How to Add Two-Factor Authentication in WordPress for Free

How to Add Two-Factor Authentication in WordPress for Free

Last updated on June 21st, 2017 by Editorial Staff
262 Shares
Share
Tweet
Share
Pin
Free WordPress Video Tutorials on YouTube by WPBeginner
How to Add Two-Factor Authentication in WordPress for Free

Have you noticed how popular sites like Facebook and Google are now giving you the ability to add two-factor authentication to improve security? Well now you can add two-factor authentication to your WordPress site. This ensures maximum security for your WordPress site. In this article, we will show you how to add two-factor authentication for WordPress using both Google Authenticator as well as SMS text message.

How to add 2-factor SMS verification for WordPress login

Why Add Two-Factor Authentication for WordPress Login?

One of the most common tricks hackers use is called brute force attacks. By using automated scripts, hackers try to guess username and password to break into a WordPress site.

If they steal your password or accurately guess it, then they can infect your website with malware.

One of the easiest ways to protect your WordPress website against stolen password is to add two-factor authentication. This way even if someone stole your password, they will need to enter a security code from your phone to gain access.

There are two ways to setup two-factor authentication in WordPress:

  1. SMS Verification – where you receive the verification code via text message.
  2. Google Authenticator App – Fallback option where you receive the verification code in an app.

Let’s take a look at how to easily add two-factor verification to your WordPress login screen for free.

1. Adding 2-Step SMS Verification to WordPress Login Screen

This method adds a 2-Step SMS verification to your WordPress login screen. After entering the WordPress username and password, you will receive a text message via SMS on your phone with a code.

First you will need to install the Two Factor and Two Factor SMS plugins. For more details, see our step by step guide on how to install a WordPress plugin.

The first plugin which is called Two Factor provides multiple ways to set up 2-step verification in WordPress. The second plugin, which is called Two Factor SMS is an addon for the first plugin. It adds support for 2-Step SMS verification. You will need both these plugins installed and activated.

Upon activation, you need to head over to Users » Your Profile page and scroll down to Two Factor Options section.

Select SMS Twilio is your 2-step method

Check the box next to ‘SMS (Twilio)’ option and also click the radio button to make it your primary verification method.

After that scroll down to the Twilio section.

Twilio settings

You will be asked to provide your Twilio account information.

Twilio is an online service that offers phone, voice messaging, and SMS services to use with your own applications. They also have a limited free plan which would be sufficient for our purpose here.

Head over to Twilio website and create your free account.

Twilio Signup

On the signup page, you will be asked for the usual personal information. After that you will be asked which products you would like to use first.

Signup options

You need to select SMS and then select 2-factor authentication for ‘What you are building’ option. Finally select PHP for your programming language.

Once you have signed up for an account, you will reach your Twilio dashboard where you need to click on the get started button.

Get started with Twilio

This will take you to a settings wizard where you need to click on the ‘Get your first Twilio number’ button.

Get your Twilio number

It will bring up a popup showing a US based phone number. Copy and save this number in a text file and then click on the ‘Choose this number’ button.

Choose number

You can now exit the wizard and head over to Settings » Geo Permissions page.

Here you need to select the countries where you will be sending SMS. Since you are using the service to receive SMS for yourself, you can select the country you live in and countries you travel to.

Geo permissions

Next, you need to visit the Twilio console dashboard to copy your Account SID and Auth Token.

Copy account ID and Auth key

Now you have all the information that you need.

Go to the user profile page on your WordPress site and enter your Twilio Account SID, Auth token, and sender phone number.

Add your own phone number as the ‘Receiver Phone Number’.

Don’t forget to click on the ‘Update Profile’ button to save your settings.

You can now logout from your WordPress site to see the plugin in action.

On login screen, first you will provide your WordPress username and password. After that, you will receive a SMS notification on your phone, and you will be asked to enter the code you received.

Enter your SMS verification code

After entering the SMS code, you will be able to access your WordPress admin area.

Note: This method works great, but what if you are traveling and unable to receive text messages on your phone number?

Let’s solve this problem by adding a fallback option too.

2. Adding 2-Factor Verification to WordPress with Google Authenticator

As a fallback option, we will setup 2-Factor verification using Google Authenticator.

SMS verification will still be your primary verification method. In case you don’t get the SMS, you’ll still be able to login using the Google Authenticator app on your phone.

Head over to Users » Your Profile page and scroll down to two factor options section.

Two factor plugin settings

Click the Enabled checkbox next to ‘Time Based One-Time Password (Google Authenticator)’ and then click on ‘view options’ link to begin Google Authenticator setup.

Gauth options

You will now see a QR code which you will need to scan with the Google Authenticator app.

Go ahead and install Google Authenticator app on your phone.

Once you have installed the app, open it and click on the add button.

Add new account in Gauth

Now you need to scan the QR code shown on the plugin’s settings page using your phone’s camera.

The app will detect and add your website. It will also show you a six digit code. Enter the code in the plugin’s settings page, and you are done.

Don’t forget to click on the ‘Update Profile’ button to save your changes.

You can now logout of your WordPress site to see it in action.

First you will have to enter your WordPress username and password. After which you will be asked to enter SMS verification code.

Use your backup method to authenticate

If you didn’t get the SMS code, then you can click on ‘Use backup method’ link and enter the code generated by Google Authenticator app on your phone.

Troubleshooting

If you lose access to your phone, then you may be unable to login. See our guide on what to do when you are locked out of WordPress admin area to recover access to the admin area.

We hope this article helped you add 2-factor SMS verification for WordPress login. You may also want to see our step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

262 Shares
Share
Tweet
Share
Pin
Popular on WPBeginner Right Now!
  • Google Analytics in WordPress

    How to Install Google Analytics in WordPress for Beginners

  • How to Fix the Error Establishing a Database Connection in WordPress

    How to Fix the Error Establishing a Database Connection in WordPress

  • How to Properly Move Your Blog from WordPress.com to WordPress.org

  • How to Start Your Own Podcast (Step by Step)

    How to Start Your Own Podcast (Step by Step)

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

The Ultimate WordPress Toolkit

10 Comments

Leave a Reply
  1. Bikash Rai says:
    Oct 24, 2019 at 8:36 am

    How to remove two factor authentication that I get every time I login. I want to simply get rid of this thing.
    Thanks in advance!

    Reply
    • WPBeginner Support says:
      Oct 24, 2019 at 10:31 am

      It would depend on which method you used to set it up, if you used the plugin then you would remove the plugin to remove the two factor authentication. Should you be unable to remove it, if you reach out to your hosting provider they should be able to assist.

      Reply
  2. MuZa says:
    Sep 5, 2019 at 2:42 am

    Hey please update this post. This plugin is too old and not tested on three major updates of WordPress.

    Reply
    • WPBeginner Support says:
      Sep 5, 2019 at 9:26 am

      Thank you for letting us know about the plugin not being updated we’ll be sure to take a look at it. The Two Factor SMS plugin is the only one not updated, the first plugin has been updated :)

      Reply
  3. Lisa Smith says:
    Jan 11, 2019 at 4:50 pm

    Found this to be really helpful related to Two Factor, but FYI – the Two Factor SMS plugin hasn’t been updated in several WP versions.

    Reply
    • WPBeginner Support says:
      Jan 14, 2019 at 1:24 pm

      Thank you for letting us know, we’ll be sure to take a look into this for other plugin options :)

      Reply
  4. Harman says:
    Jul 26, 2017 at 9:18 pm

    You can simply do it via wordpress.com.

    Reply
  5. Anna Walton says:
    Jun 23, 2017 at 9:44 am

    I’ve followed your exact instructions just now to set up 2FA with Twilio. I logged out after finishing the set-up as per the article, and now I can’t get back into my site! I get the code from Twilio, but it says there’s an error! Unfortunately, I’d not yet set up the 2FA with the authenticator app, as I followed the steps in the article, which was to log out first to see it working. Can you advise please? I’ve checked your article https://www.wpbeginner.com/wp-tutorials/locked-out-of-wordpress-admin/, but this doesn’t seem to cover getting locked out due to 2FA error. I use your site loads, and think your guidance is great! Please help on this one!!

    Reply
    • WPBeginner Support says:
      Jun 26, 2017 at 4:08 am

      Hi Anna,

      You can manually delete the plugin using FTP. Connect to your website and go to /wp-content/plugins/ folder and then delete two-factor and two-factor-sms folders. You can always reinstall the plugins after login.

      Reply
  6. Patrick Bartkus says:
    Jun 22, 2017 at 10:55 am

    FreeOTP is an Open Source alternative to Google Authenticator. It is not controlled by Google and is maintained by Red Hat under the Apache 2.0 license. It is available for iOS and Android. It also works on Google sites.

    Reply

Leave a Reply Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Over 1,320,000+ Readers

Get fresh content from WPBeginner

Featured WordPress Plugin
MonsterInsights
MonsterInsights
Google Analytics made easy for WordPress. Learn More »
How to Start a Blog How to Start a Blog
I need help with ...
Starting a
Blog
WordPress
Performance
WordPress
Security
WordPress
SEO
WordPress
Errors
Building an
Online Store
Useful WordPress Guides
    • 7 Best WordPress Backup Plugins Compared (Pros and Cons)
    • How to Fix the Error Establishing a Database Connection in WordPress
    • Why You Need a CDN for your WordPress Blog? [Infographic]
    • 30 Legit Ways to Make Money Online Blogging with WordPress
    • Self Hosted WordPress.org vs. Free WordPress.com [Infograph]
    • Free Recording: WordPress Workshop for Beginners
    • 24 Must Have WordPress Plugins for Business Websites
    • How to Properly Move Your Blog from WordPress.com to WordPress.org
    • 5 Best Contact Form Plugins for WordPress Compared
    • Which is the Best WordPress Popup Plugin? (Comparison)
    • Best WooCommerce Hosting in 2020 (Comparison)
    • How to Fix the Internal Server Error in WordPress
    • How to Install WordPress - Complete WordPress Installation Tutorial
    • Why You Should Start Building an Email List Right Away
    • How to Properly Move WordPress to a New Domain Without Losing SEO
    • How to Choose the Best WordPress Hosting for Your Website
    • How to Choose the Best Blogging Platform (Comparison)
    • WordPress Tutorials - 200+ Step by Step WordPress Tutorials
    • 5 Best WordPress Ecommerce Plugins Compared
    • 5 Best WordPress Membership Plugins (Compared)
    • 7 Best Email Marketing Services for Small Business (2020)
    • How to Choose the Best Domain Registrar (Compared)
    • The Truth About Shared WordPress Web Hosting
    • When Do You Really Need Managed WordPress Hosting?
    • 5 Best Drag and Drop WordPress Page Builders Compared
    • How to Switch from Blogger to WordPress without Losing Google Rankings
    • How to Properly Switch From Wix to WordPress (Step by Step)
    • How to Properly Move from Weebly to WordPress (Step by Step)
    • Do You Really Need a VPS? Best WordPress VPS Hosting Compared
    • How to Properly Move from Squarespace to WordPress
    • How to Register a Domain Name (+ tip to get it for FREE)
    • HostGator Review - An Honest Look at Speed & Uptime (2020)
    • SiteGround Reviews from 4196 Users & Our Experts (2020)
    • Bluehost Review from Real Users + Performance Stats (2020)
    • How Much Does It Really Cost to Build a WordPress Website?
    • How to Create an Email Newsletter the RIGHT WAY (Step by Step)
    • Free Business Name Generator (A.I Powered)
    • How to Create a Free Business Email Address in 5 Minutes (Step by Step)
    • How to Install Google Analytics in WordPress for Beginners
    • How to Move WordPress to a New Host or Server With No Downtime
    • Why is WordPress Free? What are the Costs? What is the Catch?
    • How to Make a Website in 2020 – Step by Step Guide
Deals & Coupons (view all)
Media Maestro Coupon
Get 30% OFF on Media Maestro WordPress media content management plugin.
Rocket coupon code
Rocket Coupon
Get 50% OFF on Rocket managed WordPress hosting plans for 3 months.
Featured In
About WPBeginner®

WPBeginner is a free WordPress resource site for Beginners. WPBeginner was founded in July 2009 by Syed Balkhi. The main goal of this site is to provide quality tips, tricks, hacks, and other WordPress resources that allows WordPress beginners to improve their site(s).
Join our team: We are Hiring!

Site Links
  • About Us
  • Contact Us
  • FTC Disclosure
  • Privacy Policy
  • Terms of Service
  • Free Blog Setup
  • Free Business Tools
Our Sites
  • OptinMonster
  • MonsterInsights
  • WPForms
  • SeedProd
  • Nameboy
  • RafflePress
  • Smash Balloon

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress CDN by MaxCDN | WordPress Security by Sucuri.